The researcher Craig, specialized on the embedded device hacking - demonstrated the presence of a backdoor within some DLink routers that allows an attacker to access the administration web interface of network devices without any authentication and view/change its settings.

He found the backdoor inside the firmware v1.13 for the DIR-100 revA. Craig found and extracted the SquashFS file system loading firmware’s web server file system (/bin/webs) into IDA.

Giving a look at the string listing, the Craig's attention was captured by a modified version of thttpd, the thttpd-alphanetworks/2.23, implemented to provide the rights to the administrative interface for the router.

The library is written by Alphanetworks, a spin-off company of D-Link, analyzing it Craig found many custom functions characterized by a name starting with suffix “alpha” including the alpha_auth_check.

The function is invoked to parse http request in the phase of authentication.

"We can see that alpha_auth_check is passed one argument (whatever is stored in register $s2); if alpha_auth_check returns -1 (0xFFFFFFFF), the code jumps to the end of alpha_httpd_parse_request, otherwise it continues processing the request."

Analyzing the parameters passed to the function the researcher was able to reconstruct the authentication flow, the function parses the requested URL and check if it contains the strings “graphic/” or “public/”. “graphic/” or “public/” are sub-directories under the device’s web directory, if the requested URL contains one of them the request is passed without authentication.

Another intriguing detail has been found by Craig that by changing the user-agent in a web browser to “xmlset_roodkcableoj28840ybtide,” a user could bypass the security on the device and get online or control the higher functions of the router.

Craig decided to search the code “xmlset_roodkcableoj28840ybtide” on Google and discovered traces of it only in one Russian forum post from a few years ago. Going deep in its analysis Craig was able to piece together the body of the alpha_auth_check:

int alpha_auth_check(struct http_request_t *request)

{

if(strstr(request->url, "graphic/") ||

strstr(request->url, "public/") ||

strcmp(request->user_agent, "xmlset_roodkcableoj28840ybtide") == 0)

{

return AUTH_OK;

}

else

{

// These arguments are probably user/pass or session info

if(check_login(request->0xC, request->0xE0) != 0)

{

return AUTH_OK;

}

}

return AUTH_FAIL;

}

Try to read the string xmlset_roodkcableoj28840ybtide backwards .... It appears as "Edit by 04882 Joel backdoor", very cool.

The worrying part about this vulnerability is how it can be exploited. Anyone connected to the router, whether it's through Ethernet or Wi-Fi, can simply set their browser's user agent string to a specific codeword and then attempt to access the web configuration panel.

Craig extended the results of its discovery to many other D-Link devices affected by the same backdoor, the author searched for the code present in the HTML pages on the entire Internet with the Shodan. He searched for the word "thttpd-alphanetworks/2.23", the modified version of thttpd, retrieving following search results:

After a series of test Craig concluded that the following D-Link devices are likely affected:

• DIR-100

• DI-524

• DI-524UP

• DI-604S

• DI-604UP

• DI-604+

• TM-G5240

The researcher discovered also that Planex routers, based on the same firmware, are affected by the flaw.

• BRL-04UR

• BRL-04CW

D-Link has confirmed that the flaw exists, but has refused to provide comment on how it was inserted into its products. 'D-Link will be releasing firmware updates to address the security vulnerabilities in affected D-Link routers by the end of October,' a company spokesperson explained.